Malware Detection Method Based on File and Registry Operations Using Machine Learning

Abstract

Malware (Malicious Software) is any software which performs malicious activities on computer-based systems without the user's consent. The number, severity, and complexity of malware have been increasing recently. The detection of malware becomes challenging because new malware variants are using obfuscation techniques to hide themselves from the malware detection systems. In this paper, a new behavioral-based malware detection method is proposed based on file-registry operations. When malware features are generated, only the operations which are performed on specific file and registry locations are considered. The file-registry operations divided into five groups: autostart file locations, temporary file locations, specific system file locations, autostart registry locations, and DLLs related registry locations. Based on the file-registry operations and where they performed, the malware features are generated. These features are seen in malware samples with high frequencies, while rarely seen in benign samples. The proposed method is tested on malware and benign samples in a virtual environment, and a dataset is created. Well-known machine learning algorithms including C4.5 (J48), RF (Random Forest), SLR (Simple Logistic Regression), AdaBoost (Adaptive Boosting), SMO (Sequential Minimal Optimization), and KNN (K-Nearest Neighbors) are used for classification. In the best case, we obtained 98.8% true positive rate, 0% false positive rate, 100% precision and 99.05% accuracy which is quite high when compared with leading methods in the literature.